alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&c="; content:"&p1="; content:"&p2="; content:"&p3="; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/"; classtype:attempted-user; sid:2015906; rev:4; metadata:created_at 2012_11_21, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_24;)